Configure and Implement the Proper Internal Controls Up Front for an Easier Audit

by Steve Biskie, Managing Director, High Water Advisors
December 15, 2008

Having to go back and change your SAP system or your related business processes to deal with audit concerns takes time away from your daily operations and results in unnecessary distractions. By configuring your SAP system appropriately and designing your related business processes to effectively address your business risks, you can save significant effort. This article provides an overview of how to set up your SAP system properly the first time. Learn how understanding common business risks and typical audit concerns and carefully managing the SAP implementation process to account for these risks and concerns can eliminate nearly 90% of all issues found by auditors.
Key Concept

Internal controls are processes that management puts into place either to prevent “bad” things from happening or to detect and deal with these “bad” things in a timely manner if they occur. Every organization has internal controls, and you encounter these controls frequently (even if you don’t recognize them as such). Edit checks configured within an SAP system to prevent erroneous input are one example of internal controls. Other examples include processes designed to prevent duplicate payments, procedures to ensure the confidentiality of pricing and purchasing arrangements, management reviews of SAP exception reports that assist in identifying and investigating potential problems, and training and education programs designed to reduce the likelihood of user error.

The longer the duration between your initial SAP design and configuration decisions and the identification of any related audit concerns, the more difficult, time-consuming, and resource-intensive it typically becomes to correct the issue. Audit concerns identified after your SAP go-live date can be costly for your organization. At best, they may expose your organization to significant risk; at worst, you may have errors or undesired entries flowing unchecked through your business transactions until you correct the underlying issues. Some decisions, such as how to structure your general ledger chart of accounts or how to set up your organizational units, are so integral to your operation that it may not be practical to make significant changes after implementation. By configuring your SAP system appropriately and designing your related business processes in a way that effectively addresses your business risks, you can save your organization significant effort.

Given the complexity of SAP software and the number of configuration and customization options available, it’s not possible to discuss every potential audit concern. In addition, SAP’s ongoing changes and improvements to its applications make specific configuration advice a moving target. However, I can provide you with a framework that is independent of SAP module and version and can serve as an effective guide for designing and configuring appropriate business controls in and around your SAP system.

I am firmly convinced that, by understanding common business risks and typical audit concerns and by carefully managing the SAP implementation or upgrade process to account for these risks and concerns, organizations can eliminate nearly 90% of all audit findings. Beyond just reducing audit findings, however, applying the principles discussed in this article will make your SAP implementation more successful. Most audit issues merely identify one of three situations: a business condition potentially exposes the organization to more risk than management finds acceptable; a process exists (or doesn’t exist) that goes against management’s stated or desired intentions; or an error or anomaly has been specifically identified. Independent of an audit, your organization should proactively identify and understand each of these three situations and address them effectively in advance of your go-live date.

Steve Biskie

Steve Biskie has been working with SAP ERP systems for more than two decades, and is considered an international expert in SAP audit issues, risk management, and GRC. He was an expert reviewer for the book Security, Audit, and Control Features: SAP ERP (3rd Edition), and the author of Surviving an SAP Audit.

Steve will be presenting at the upcoming SAPinsider GRC 2017 conference, June 14-16, 2017, in Amsterdam.

